Corosync + Pacemaker under iptables and SELinux

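# iptables rules for Corosync/Pacemaker cluster traffic (iptables-save format).
# As written these accept from any source; where possible add -i <cluster
# interface> and -s <cluster subnet> so only cluster peers are admitted.
# IGMP is needed so the host can join the multicast group.
-A INPUT -p igmp -j ACCEPT
# Accepts every multicast-addressed packet, not only corosync's group; restrict
# with -d <mcastaddr> if other multicast traffic is not wanted on this host.
-A INPUT -m addrtype --dst-type MULTICAST -j ACCEPT
# Corosync uses mcastport (5405 below) and mcastport-1 (5404); both must be open.
# The option names are "--dst-type", "--state", "--dports" (two hyphens); the
# original page had them mangled into a single en-dash, which iptables rejects.
-A INPUT -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT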

# corosync.conf totem setting. The firewall must open this port and the one
# below it (here 5405 and 5404), matching the iptables rule above.
mcastport: 5405

SELinux policy module (in the form audit2allow emits; review each rule before loading it):

# Local policy module adding permissions to the corosync_t domain.
# NOTE(review): the module name "corosync" may collide with a module of the same
# name shipped by the distribution's policy (check `semodule -l`); loading this
# as-is could replace it. A distinct name such as "corosync_local" avoids that.
module corosync 1.1;

require {
type corosync_t;
type sysctl_kernel_t;
type lib_t;
class dir search;
class file { read execute_no_trans };
}

#============= corosync_t ==============
# Lets corosync_t execute any lib_t-labelled file in its own domain (no
# transition). This is broad: if a single file triggered the denial, check its
# label (`ls -Z`, `restorecon -v`) before granting this for every library.
allow corosync_t lib_t:file execute_no_trans;
# Read-only access to sysctl_kernel_t (normally /proc/sys/kernel): directory
# search plus file read.
allow corosync_t sysctl_kernel_t:dir search;
allow corosync_t sysctl_kernel_t:file read;

 

P.S. The denials that the module above addresses can be found with `sealert -a /var/log/audit/audit.log`.

Author: GergunD
